The Day That Guccifer 2.0 Quit Hacking The DNC

Disobedient Media recently reported on discoveries made by the Forensicator in their report, Media Mishaps: Early Guccifer 2 Coverage. In our previous coverage of the Forensicator's work, we discussed the essential role played by the media in ensuring that the Guccifer 2.0 persona received wide recognition by successfully linking Guccifer 2.0’s documents with the DNC’s claims that Russian state-sponsored hackers had breached their servers.

This report will focus on an unreported story: After the fact, the DNC quietly changed an important theme in their Russian hacking narrative. Initially, the DNC passively supported the notion that Guccifer 2.0 stole a copy of a Trump opposition report by penetrating the DNC at the behest of the Russian state. Then over a year later, an un-named ex-DNC official tells us that this document in fact came from Podesta’s emails, not the DNC. This single statement by a DNC official invalidated the circumstantial evidence that had been used to support the DNC’s Russian hacking claims, and represents a groundbreaking contradiction that has gone unobserved by establishment press outlets.

This report will also discuss numerous mistakes made by various legacy press outlets in their obsessive focus on the Russian hacking narrative and their rush to judgment in the matter.

A Late (and Quiet) Change in the DNC Russian Hacking Narrative

In November 2017, the DNC changed their Russian hacking narrative via their proxies in the legacy media. The Associated Press published, Inside story: How Russians hacked the Democrats’ emails; they cite an anonymous former DNC official who asserts that Guccifer 2.0’s first document (the Trump opposition report) did not originate in the DNC as initially reported. The importance of this contradiction, combined with earlier allegations of hacking the DNC made by Guccifer 2.0, cannot be overstated.

The Associated Press wrote in November 2017:

“…There were signs of dishonesty from the start. The first document Guccifer 2.0 published on June 15 came not from the DNC as advertised but from Podesta’s inbox, according to a former DNC official who spoke on condition of anonymity because he was not authorized to speak to the press.”

By classifying Guccifer 2.0’s claim to have obtained the Trump Opposition Report through a breach of the DNC as a sign of dishonesty, the Associated Press uses the Guccifer 2.0 persona’s widely held claim as an example of contradiction with their new version of the 'official' Russian hacking narrative. In so doing, the AP makes the hacking allegations entirely nebulous: a fantasy narrative that can be neither proven nor disproven but easily edited and rearranged when convenient. Incredibly, the AP’s article also contradicts the claims made by the DNC themselves, and so-called papers of record, including the Washington Post.

By returning to the genesis of the Russian hacking narrative, we find that the AP's November report runs contrary to the DNC's initial claims, as reported by The Washington Post, in an article titled, Russian Government Hackers Penetrated DNC, Stole Opposition Research OnTrump. When reviewing this early history of the matter, it becomes clear that it is logically impossible to separate the Guccifer 2.0 persona from the allegations of a Kremlin-backed hack of the DNC. Critical statements in that initial report by the Washington Post are highlighted below for emphasis:

“Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP Presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach…

…[Fancy Bear] broke into the network in late April and targeted the opposition research files. It was this breach that set off the alarm. The hackers stole two files,[Shawn] Henry said.”

By taking this later (2017) stance, the Associated Press contradicts the "official" Russian hacking narrative involving Guccifer 2.0 (as implied by the DNC’s own security firm) and which had, until that point, been characterized by the corporate press as Russian-hacking-gospel-truth. By seamlessly excising Guccifer 2.0 from culpability within a new timeline of events, the Associated Press makes the entire hacking story a fantasy narrative that can be neither proven nor disproven but must not be questioned.

The Forensicator explained to Disobedient Media:

"Investigators would have been able to rapidly determine if there were textual differences between Guccifer 2.0’s document and the DNC’s. If there were no textual differences, an initial determination might have been difficult, because Guccifer 2.0 went to some trouble to obscure internal metadata, known as Revision Save ID’s (RSID’s), which can be used to uniquely identify sections of text that have been changed and added into a Word document. However, when the Podesta emails were published in October 2016, investigators should have been able to source Guccifer 2.0’s document to the Podesta emails quickly. They would have been able to do this before the 2016 election, a full year ahead of the AP report."[Emphasis Added]

The Forensicator then referred this author to a table in his report, depicting the metadata for Podesta’s version of the Trump opposition report:

As we can see, the document was saved by Tony Carrk, who worked as Research Director for Hillary for America at the time. This document was attached to this Podesta email.

The Forensicator continued, saying: "We can see that Mr. Carrk made some change that took less than one minute to complete. If investigators compared Carrk’s version of the document to the original DNC document, they should have been able to quickly determine that Guccifer 2’s document is sourced from Podesta’s emails and not directly from the DNC. For this, an RSID correlation would have probably been telling."

Why did the DNC, their security consultant firm Crowdstrike, and government investigators wait so long to tell us that Guccifer 2.0 did not obtain their copy of the Trump opposition report directly from the DNC? Why did Crowdstrike tell the Washington Post that the opposition report files had been stolen specifically from the DNC network if that were not the case?

The legacy press chorus had initially linked Guccifer 2.0’s first document, and the “Russian fingerprints” therein to the Trump opposition report that the DNC claimed to have been stolen by Russian state-sponsored hackers. What prompted them to change their story, contradicting not only Guccifer 2.0 but the DNC themselves? Should we now assess the DNC’s claim that the document had been taken by Russian hackers to be untrue?

Ultimately, it is the DNC’s claim that they were breached by Russian hackers, who stole the Trump opposition report, which directly belies their allegation - because the document did not come from the DNC, but from John Podesta’s emails.

Is it possible that Mueller’s investigation may have taken a closer look into the origin of Guccifer 2.0’s initial document, realizing that it was sourced from Podesta’s email? The DNC and government investigators may have then decided that the best way to obscure the resulting contradictory evidence was by letting it quietly leak via a “former DNC official who spoke on the condition of anonymity,” in the November 2017 article published by the Associated Press.

Given the repeated contradictions from the DNC and corporate media in their description of Russian interference in the 2016 US Presidential race, how can the public be expected to believe that their other claims have any legitimacy whatsoever?

The AP’s November 2017 article also noticed that Guccifer 2.0’s first published document contained the word CONFIDENTIAL, while the original document did not. This was old news to anyone who had been paying attention; Adam Carteranalyzed this artifact nine months earlier:

What is interesting here is that the AP admits that such elements of the document's publication had been fabricated, but did not then follow that realization by questioning other possibly fabricated elements of the documents, such as the Russian-language error messages. The AP certainly did not concern themselves with why a Russian state-sponsored hacker would benefit from airbrushing "confidential" onto such a report. Their claim that it was to attract media attention seems quite weak.

AP surmised that Guccifer 2.0 "air-brush[ed]" the word "confidential" into the document to "catch the reporter's attention.” Both Carter and the Forensicator have explained that Guccifer 2.0 used a complex process, involving an intermediate template document, to inject this "alluring" fake. The Forensicator told this author that they take the position that this intermediate template file (ostensibly needed to add "CONFIDENTIAL" to the document) had an additional purpose.

The Forensicator explained that, for some readers and researchers, the copy/paste of an intermediate (RTF) copy of the Trump opposition report into a template document might be interpreted simply as an unconventional method for injecting "confidential" into 1.doc. However, the Forensicator added, it can also be interpreted as a "cover" for the final copy/paste operation which was a necessary step in the evolution of Guccifer 2.0’s first document. It was needed to embed the Russian error messages into the final document (1.doc).

Once again, establishment media failed to pursue their cited evidence with due diligence. This is a grave mistake, especially given the way in which Guccifer 2.0's alleged 'hacking' has been used as a major bolstering point for increased tensions between the United States and Russia.

Initially, Gawker and The Smoking Gun Didn't Notice Iron Felix

Guccifer 2.0 made his noisy debut on June 15, 2016 (the day after the DNC publicly claimed it had been breached by Russian state-sponsored hackers). It also appears that Guccifer 2.0 gave advanced copies of their doctored version of the Trump opposition report to two media outlets, The Smoking Gun and Gawker.

In their full analysis, the Forensicator wrote that it was surprising that neither outlet reported on the easily viewed "Last Saved By" property, which listed "Феликс Эдмундович" (aka "Iron Felix") as the user who last saved the document. This unique name was noticed by various social media observers that same day and by Ars Technica the following day. How did the journalists miss this, and why?

Both Gawker and The Smoking Gun published Guccifer 2.0's Trump opposition report in full as a PDF file. Their PDF files have the now infamous Cyrillic error messages in them; they appear in the last few pages of their PDF files. Ars Technica dubbed these error messages, "Russian fingerprints."

Although both outlets reviewed this document in some detail, neither outlet noticed the Russian error messages in their first reports. The Forensicator suggests that, given their choice of word processing applications, they would have seen the Russian error messages, if only they had viewed the last few pages of each file. That is, unless (perhaps) they received their PDF's directly from Guccifer 2.0 or another third party and they just passed them along.

Ars Technica was Confused When They Didn't See the Russian Error Messages in Guccifer 2.0's Word Document

Ars Technica reported on Guccifer 2.0's publication of the Trump Opposition Report the day after Guccifer 2.0 arrived on the scene. They quickly noted that there were Russian language error messages in the PDF file posted by Gawker. They also noticed that when they viewed 1.doc themselves, they didn't see the Russian error messages. The Forensicator told Disobedient Media that this was because Ars Technica used Word for Windows, which displayed the error messages in English.

Ars Technica suggested that The Smoking Gun's PDF may have been generated by Guccifer 2.0 on a system that had Russian language settings enabled.

While this explanation appears reasonable, it is surprising (if that was the case) that Gawker didn't tell us that their PDF came directly from Guccifer 2.0. The Smoking Gun also published a PDF with Russian error messages in it. Are we to believe that The Smoking Gun also received their PDF from Guccifer 2.0 or a third party, and failed to report on this fact?

IVN: Did Gawker Outsource Their Analysis to Russia?

An obscure media outlet, Independent Voter Network, raised various theories on the initial reporting done by The Smoking Gun and Gawker. One of their wilder theories suggested that Gawker had outsourced their analysis to a Russian sub-contractor. The Forensicator evaluated that claim, ultimately concluding that Independent Voter Network had gone on a wild goose chase because the "clue" they followed pointed to Gawker's document management service known as “DocumentCloud.” DocumentCloud uses a technology that they call "CloudCrowd," which is what IVN saw in the PDF that Gawker uploaded. The Forensicator referred to a DocumentCloud job advertisement for confirmation of his conclusion.

The Forensicator told Disobedient Media: "We found CloudCrowd; it is not an outsourcing company. Probably not Russian, either."

Business Insider: Did Guccifer 2.0 Photoshop “Confidential” Into his Document Screenshots?

When Business Insider noted the presence of "CONFIDENTIAL" in Guccifer 2.0's document, they claimed that Guccifer 2.0 might have “photoshopped” his screenshots (placed on his blog site) to create the watermark and page footer with “confidential” in them.

The Forensicator countered that claim by pointing out that the Business Insider journalist likely viewed the document with "Full-Screen Reading" selected.

This mode will disable the display of the watermark and page headers and footers when viewed by the journalist, but they will be displayed when printed to PDF. No Photoshop required.

Conclusion

The close timing of the DNC announcement and Guccifer 2.0’s publication of the Trump report, as well as reports of “Russian fingerprints” in those documents, created a strong link between Guccifer 2.0 and the Russian hackers who allegedly stole DNC files. Over a year later, the Associated Press tells us that this first narrative was wrong, contradicting the DNC’s claims as well as much of the early legacy press reports on the issue. Must we concurrently accept the narrative that Russians hacked the DNC if claims that they had done so were not only based on flimsy evidence but have now been contradicted completely?

As far as documented evidence of election interference goes, one does not have to stray far from the actors in the Russian hacking saga to discover that the DNC and establishment Democrats were, instead of victims of meddling, the perpetrators of such abuse of the American Democratic process. In 2017 the NYC Board of Elections admitted that it had illegally purged hundreds of thousands of Democratic voters from the election roles, preventing them from voting in the 2016 Democratic primaries. This abuse of power represents just one in a constellation of legitimate examples of abuse that took place at the hands of corporatized Democrats in order to unfairly and illegally ensure a Clinton nomination.